Description

Craft is a content management system (CMS). In versions 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22, the SSRF validation in Craft CMS’s GraphQL Asset mutation uses `gethostbyname()`, which only resolves IPv4 addresses. When a hostname has only AAAA (IPv6) records, the function returns the hostname string itself, causing the blocklist comparison to always fail and completely bypassing SSRF protection. This is a bypass of the security fix for CVE-2025-68437. Exploitation requires GraphQL schema permissions for editing assets in the `<VolumeName>` volume and creating assets in the `<VolumeName>` volume. These permissions may be granted to authenticated users with appropriate GraphQL schema access and/or Public Schema (if misconfigured with write permissions). Versions 4.16.19 and 5.8.23 patch the issue.

INFO

Published Date :

2026-02-24T02:45:45.494Z

Last Modified :

2026-02-28T02:17:18.957Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27129 vulnerability.

Vendors Products
Craftcms
  • Craft Cms
  • Craftcms
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27129.

URL Resource
https://github.com/craftcms/cms/commit/2825388b4f32fb1c9bd709027a1a1fd192d709a3 cve-icon cve-icon
https://github.com/craftcms/cms/security/advisories/GHSA-v2gc-rm6g-wrw9 cve-icon cve-icon
https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact